In my shared web hosting scenario I have set up several services to query a MySQL database for user and password info. It seems that as soon as an application is linked to the mysql client libs and tries to perform a database lookup, it tries to open the mysql configuration file my.cnf. SELinux's current policy denies this access, making the lookup fail. I'd opt for a boolean that allows access to my.cnf for such services.

So far audit2allow gives me the following:

allow dovecot_t mysqld_etc_t:file { read getattr open };
allow groupadd_t mysqld_etc_t:file { read getattr open };
allow local_login_t mysqld_etc_t:file { read getattr open };
allow named_t mysqld_etc_t:file { read getattr open };
allow pam_console_t mysqld_etc_t:file { read getattr open };
allow postfix_bounce_t mysqld_etc_t:file { read getattr open };
allow postfix_cleanup_t mysqld_etc_t:file { read getattr open };
allow postfix_master_t mysqld_etc_t:file { read getattr open };
allow postfix_pickup_t mysqld_etc_t:file { read getattr open };
allow postfix_qmgr_t mysqld_etc_t:file { read getattr open };
allow postfix_smtpd_t mysqld_etc_t:file { read getattr open };
allow postfix_smtp_t mysqld_etc_t:file { read getattr open };
allow procmail_t mysqld_etc_t:file { read getattr open };
allow sendmail_t mysqld_etc_t:file { read getattr open };
allow sshd_t mysqld_etc_t:file { read getattr open };
allow system_dbusd_t mysqld_etc_t:file { read getattr open };
allow useradd_t mysqld_etc_t:file { read getattr open };

Versions:
selinux-policy-3.10.0-51.fc16.noarch
selinux-policy-targeted-3.10.0-51.fc16.noarch
Add a policy for this:

cat mynsswitch.te
policy_module(mynsswitch, 1.0)

gen_require(`
	attribute nsswitch_domain;
')

# every domain that consults NSS/PAM may read the MySQL client config (mysqld_etc_t)
mysql_read_config(nsswitch_domain)
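The reply grants the read to the nsswitch_domain attribute rather than to the seventeen domains one by one. Before loading such a module it is worth checking that every domain audit2allow reported is actually a member of that attribute (seinfo -a nsswitch_domain -x lists the members); any domain that is not would stay denied. The script below is an added example written for this report, not the reporter's or the selinux-policy project's code: it parses the audit2allow output quoted above, compares it against a member list, emits a mynsswitch.te with an explicit mysql_read_config() for any uncovered domain, and shows the build/load/verify commands. The member list it ships with is a constructed stand-in for real seinfo output, with sshd_t deliberately omitted so the uncovered path is exercised; it says nothing about the real policy.

```shell
#!/bin/sh
# Added example for this bug report, not code from the reporter or from
# selinux-policy. It checks whether the attribute-based rule in the reply
# covers every domain audit2allow listed, emits the .te, and shows how the
# module gets built and loaded.

# Constructed copy of the audit2allow output quoted in the report.
AUDIT2ALLOW_RULES='allow dovecot_t mysqld_etc_t:file { read getattr open };
allow groupadd_t mysqld_etc_t:file { read getattr open };
allow local_login_t mysqld_etc_t:file { read getattr open };
allow named_t mysqld_etc_t:file { read getattr open };
allow pam_console_t mysqld_etc_t:file { read getattr open };
allow postfix_bounce_t mysqld_etc_t:file { read getattr open };
allow postfix_cleanup_t mysqld_etc_t:file { read getattr open };
allow postfix_master_t mysqld_etc_t:file { read getattr open };
allow postfix_pickup_t mysqld_etc_t:file { read getattr open };
allow postfix_qmgr_t mysqld_etc_t:file { read getattr open };
allow postfix_smtpd_t mysqld_etc_t:file { read getattr open };
allow postfix_smtp_t mysqld_etc_t:file { read getattr open };
allow procmail_t mysqld_etc_t:file { read getattr open };
allow sendmail_t mysqld_etc_t:file { read getattr open };
allow sshd_t mysqld_etc_t:file { read getattr open };
allow system_dbusd_t mysqld_etc_t:file { read getattr open };
allow useradd_t mysqld_etc_t:file { read getattr open };'

# Constructed stand-in for the output of `seinfo -a nsswitch_domain -x` on the
# running system. sshd_t is deliberately left out so the "not covered" path is
# exercised; this is NOT a claim about the real attribute's membership.
NSSWITCH_MEMBERS='dovecot_t groupadd_t local_login_t named_t pam_console_t
postfix_bounce_t postfix_cleanup_t postfix_master_t postfix_pickup_t
postfix_qmgr_t postfix_smtpd_t postfix_smtp_t procmail_t sendmail_t
system_dbusd_t useradd_t'

# Distinct source domains that audit2allow wants to grant read on
# mysqld_etc_t, one per line.
denied_domains() {
    printf '%s\n' "$1" |
        awk '$1 == "allow" && $3 ~ /^mysqld_etc_t:file/ { print $2 }' |
        sort -u
}

# Domains from $1 (newline-separated) that are absent from the member list $2
# (whitespace-separated). Anything printed here would still be denied after
# loading a module that only grants to the attribute.
uncovered_domains() {
    members=" $(printf '%s' "$2" | tr '\n' ' ') "
    for d in $1; do
        case "$members" in
            *" $d "*) ;;
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# Emit the .te: the attribute rule from the reply, plus an explicit
# mysql_read_config() (and matching gen_require) for each uncovered domain.
gen_te() {
    name=$1
    extra=$2
    printf 'policy_module(%s, 1.0)\n\n' "$name"
    printf 'gen_require(`\n\tattribute nsswitch_domain;\n'
    for d in $extra; do printf '\ttype %s;\n' "$d"; done
    printf "')\n\n"
    printf '# every NSS/PAM client domain may read /etc/my.cnf (mysqld_etc_t)\n'
    printf 'mysql_read_config(nsswitch_domain)\n'
    for d in $extra; do printf 'mysql_read_config(%s)\n' "$d"; done
}

# Build the module with the policy devel Makefile (selinux-policy-devel),
# load it, then confirm one formerly denied domain now has the rule.
# Needs root and the devel package; the demonstration below does not call it.
build_and_install() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp" &&
        semodule -i "$1.pp" &&
        sesearch --allow -s dovecot_t -t mysqld_etc_t -c file
}

DENIED=$(denied_domains "$AUDIT2ALLOW_RULES")
UNCOVERED=$(uncovered_domains "$DENIED" "$NSSWITCH_MEMBERS")
gen_te mynsswitch "$UNCOVERED"
```

On a real box, replace NSSWITCH_MEMBERS with the output of seinfo -a nsswitch_domain -x, then run gen_te mynsswitch "$UNCOVERED" > mynsswitch.te followed by build_and_install mynsswitch. If uncovered_domains prints nothing, the generated file is exactly the two-statement module from the reply.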
Works for me and so far I'm happy with the solution. Closing.